Reinforcing bad behaviour: the misuse of security indicators on popular websites

Authors:
Douglas Stebila
Affiliations:
Queensland University of Technology, Brisbane, Queensland, Australia
Venue:
Proceedings of the 22nd Conference of the Computer-Human Interaction Special Interest Group of Australia on Computer-Human Interaction
Year:
2010

Citing 9
Cited 4

Users' conceptions of web security: a comparative study

CHI '02 Extended Abstracts on Human Factors in Computing Systems
The battle against phishing: Dynamic Security Skins

SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
Gathering evidence: use of visual security cues in web browsers

GI '05 Proceedings of Graphics Interface 2005
What are you looking for?: an eye-tracking study of information usage in web search

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
The Emperor's New Security Indicators

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Exploring User Reactions to New Browser Cues for Extended Validation Certificates

ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
Passwords: If We're So Smart, Why Are We Still Using Them?

Financial Cryptography and Data Security
Crying wolf: an empirical study of SSL warning effectiveness

SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Visual spoofing of SSL protected web sites and effective countermeasures

ISPEC'05 Proceedings of the First international conference on Information Security Practice and Experience

An empirical study of visual security cues to prevent the SSLstripping attack

Proceedings of the 27th Annual Computer Security Applications Conference
Measuring SSL indicators on mobile browsers: extended life, or end of the road?

ISC'12 Proceedings of the 15th international conference on Information Security
Comparative eye tracking of experts and novices in web single sign-on

Proceedings of the third ACM conference on Data and application security and privacy
Rational interfaces for effective security software: polite interaction guidelines for secondary tasks

UAHCI'13 Proceedings of the 7th international conference on Universal Access in Human-Computer Interaction: design methods, tools, and interaction techniques for eInclusion - Volume Part I

Quantified Score

Hi-index	0.00

Visualization

Abstract

Before making a security or privacy decision, Internet users should evaluate several security indicators in their browser, such as the use of HTTPS (indicated via the lock icon), the domain name of the site, and information from extended validation certificates. However, studies have shown that human subjects infrequently employ these indicators, relying on other indicators that can be spoofed and convey no cryptographic assurances. We identify four simple security indicators that accurately represent security properties of the connection and then examine 125 popular websites to determine if the sites' designs result in correctly displayed security indicators during login. In the vast majority of cases, at least some security indicators are absent or suboptimal. This suggests users are becoming habituated to ignoring recommended security indicators.